Pneumaticat's comments


Thanks everyone for the feedback on Yubikeys being stolen! I've tried to summarize it all in a footnote, and downgraded the severity of my original starting paragraph. Thanks for reading!


Author of the post here - you have a good point with regard to SSH/GPG. (I do have a PIN on my keys.) I was targeting more the U2F standpoint - as in if you're using it for 2FA, it's obviously no better than a password if someone else can just press the little yellow button :)

Thanks for reading, though, and for commenting!


it's obviously no better than a password if someone else can just press the little yellow button :)

If you're using it as a second factor via U2F, the point isn't to be better than a password or to replace a password. The point is to be different. Specifically, the point is to be proof of physical possession. If they steal it, then you still have a memorized password as an authentication barrier.

The problem you raise in your blog post is a good one. People do tend to forget their security keys in their computers. However, making the security key the only required factor seems counterproductive. As an alternative, how about a background daemon that enumerates attached U2F/FIDO devices and reminds you to remove anything that's left in for more than a couple minutes?
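One way to build the reminder daemon suggested above, as an added example that is not from the thread: it recognises FIDO devices by the 0xF1D0 usage page in their HID report descriptors (read from Linux sysfs), and the sample descriptor bytes, the sysfs path and the two-minute threshold are assumptions made here.

```python
import sys
import time
from pathlib import Path
from typing import Dict, List, Set

FIDO_USAGE_PAGE = 0xF1D0          # usage page used by FIDO/U2F HID devices
HIDRAW_SYSFS = Path("/sys/class/hidraw")  # assumed Linux layout
REMINDER_AFTER_S = 120            # "left in for more than a couple minutes"

def report_descriptor_usage_pages(desc: bytes) -> List[int]:
    """Return every Usage Page value (global item, tag 0) in a HID report descriptor."""
    pages, i = [], 0
    while i < len(desc):
        prefix = desc[i]; i += 1
        if prefix == 0xFE:                      # long item: skip its data
            i += 2 + desc[i]; continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = int.from_bytes(desc[i:i + size], "little"); i += size
        if (prefix >> 2) & 0x3 == 1 and (prefix >> 4) == 0:
            pages.append(data)
    return pages

def is_fido_descriptor(desc: bytes) -> bool:
    return FIDO_USAGE_PAGE in report_descriptor_usage_pages(desc)

def attached_fido_devices() -> Set[str]:
    """Names of hidraw nodes whose report descriptor declares the FIDO usage page."""
    found = set()
    for node in HIDRAW_SYSFS.glob("hidraw*"):
        try:
            desc = (node / "device" / "report_descriptor").read_bytes()
        except OSError:
            continue
        if is_fido_descriptor(desc):
            found.add(node.name)
    return found

def overdue(first_seen: Dict[str, float], present: Set[str], now: float,
            limit: float = REMINDER_AFTER_S) -> List[str]:
    """Track when each key was first seen; return the ones present longer than `limit`."""
    for name in present:
        first_seen.setdefault(name, now)
    for name in [n for n in first_seen if n not in present]:
        del first_seen[name]                    # unplugged: forget it
    return sorted(n for n, t in first_seen.items() if now - t > limit)

# Constructed samples: the opening items of a FIDO descriptor and of a keyboard descriptor
SAMPLE_FIDO_DESC = bytes.fromhex("06d0f1 0901 a101 0920 1500 26ff00 7508 9540 8102 c0".replace(" ", ""))
SAMPLE_KEYBOARD_DESC = bytes.fromhex("0501 0906 a101 c0".replace(" ", ""))

if __name__ == "__main__":
    seen: Dict[str, float] = {}
    while True:                                 # poll every 10 s and nag about forgotten keys
        for dev in overdue(seen, attached_fido_devices(), time.monotonic()):
            print(f"reminder: security key {dev} plugged in > {REMINDER_AFTER_S}s", file=sys.stderr)
        time.sleep(10)
```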


No hard feelings @Pneumaticat. ;)

Most places where I use the FIDO feature of Yubi (e.g. Github), you still need to provide username and password. So an abandoned Yubi is still of limited use assuming your password is stored securely.


Yeah - here, I'll add a slight edit to the post to explain it in more detail and clear up any confusion.


F-Droid [1] has addressed this pretty well for Android devices.

[1]: https://f-droid.org/en/packages/im.vector.alpha/


Until F-Droid removes the app from the store for whatever reason


F-Droid supports adding additional repositories, so there is no "the store."


Hey guys, thanks for all the comments! I realized that it was not an ethical idea to post, so I decided to take it down. I did not get a cease and desist, but I would appreciate if you could refrain from reposting it.

If you are interested in seeing some of my other (more ethical) work, check out Delphus [1], an open research study management platform which I am working on at my new startup ;)

[1]: https://delph.us


I'm not sure about this, still. I'd consider it roughly equivalent to posting a POC for an exploit: it could be abused, could be used for academic learning, or could be used to improve systems. It's not inherently bad.


But iodine [1] is very slow ;) (Also with the satellite roundtrip, it probably would've worked, but super slowly.)

[1]: https://code.kryo.se/iodine/


A good point. To be fair, though, even Lifehacker has posted a similar writeup [1] (linked in the article) and I don't think they've been threatened.

Getting caught in the air - now, that's a different story ;)

[1]: https://lifehacker.com/get-free-unlimited-wi-fi-on-flights-a...


Getting caught in the air seems nigh impossible, since by using this trick you aren't giving them any way to identify you.


They'd have your stunnel server IP, so if they were really, really determined they could probably track you down by forcing your ISP/VPS provider to identify you.

I doubt they'd bother for $45 worth of WiFi, but personally I would err on the side of caution.


Thanks! Let me see if I can add an mspaint diagram.

edit: added! try refreshing if you don't see it.


Thank you! I suspect the answer is "most", especially if they allow HTTPS in any way. The way to solve this issue is to either whitelist IPs/host the site internally on the local network (e.g. most captive portals).


We're actually trying to do something very similar at https://delph.us.

We also have operational encryption, multi-researcher studies, and soon an end-to-end encrypted chat system between researchers and participants using Matrix.


Why?

Your website seems to explain the current problems with clinical research, but I didn't see an explanation of your solution. Can you share here?

